chore: bump Trivy 0.69.3→0.70.0, auto-close stale vuln PRs, restrict push to default branch #69

Open

hsri-pf9 wants to merge 1 commit into master from update/trivy-0.70.0

Conversation

@hsri-pf9

Summary

  • Bumps pinned Trivy version in .github/workflows/security-scan.yml from 0.69.3 to 0.70.0 (where applicable)
  • Adds Close Stale Vulnerability PR (if clean) step to each scanner job (gosec/bandit/trivy) — automatically closes the report PR when a subsequent scan finds no HIGH/CRITICAL vulnerabilities
  • Restricts on.push.branches to the default branch only, removing all other branches

Changes

Trivy version bump

  • trivy=0.69.3 → trivy=0.70.0

Auto-close stale vulnerability PRs

Adds a close step to each scanner job that runs only on push when no HIGH/CRITICAL vulnerabilities are found, finds any open PR on the auto/<scanner>-scan/<branch> branch and closes it with a comment.

Push trigger cleanup

  • Removed all non-default branches from on.push.branches

Test plan

  • CI installs the correct Trivy version (0.70.0) on this PR
  • Merge a fix to a branch that has an open vulnerability report PR and confirm the report PR is auto-closed
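The close step described in this PR, written out as an added example of one scanner job (this is not the repository's own security-scan.yml). It assumes a preceding step with id `scan` that exposes a `findings` output holding the HIGH/CRITICAL count, and uses the report-branch pattern auto/<scanner>-scan/<branch> from the description:

```yaml
# Added example, not the project's workflow. Shows the trivy job only;
# the gosec and bandit jobs would carry the same step with their own
# scanner name in HEAD_BRANCH.
jobs:
  trivy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required to close the report PR and comment on it
    steps:
      - uses: actions/checkout@v4

      # Install the pinned Trivy version and run the scan. This step is
      # assumed (not shown) to set steps.scan.outputs.findings to the
      # number of HIGH/CRITICAL results found.
      # - id: scan
      #   run: ...

      - name: Close Stale Vulnerability PR (if clean)
        # Only on push, and only when the latest scan is clean.
        # Step outputs are strings, so the count is compared as '0'.
        if: github.event_name == 'push' && steps.scan.outputs.findings == '0'
        env:
          GH_TOKEN: ${{ github.token }}
          # Report PRs for this scanner and branch live on this head branch
          HEAD_BRANCH: auto/trivy-scan/${{ github.ref_name }}
        run: |
          set -euo pipefail
          # Find every open PR whose head is the scanner's report branch
          # and close each one with an explanatory comment.
          for pr in $(gh pr list --state open --head "$HEAD_BRANCH" \
                        --json number --jq '.[].number'); do
            gh pr close "$pr" --comment \
              "Closing: the latest Trivy scan of ${GITHUB_REF_NAME} found no HIGH/CRITICAL vulnerabilities."
          done
```

Scoping `pull-requests: write` to the job keeps the default token read-only elsewhere, and filtering by `--head` ensures only the scanner's own report PRs are closed, never unrelated PRs on the same base branch.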
